Monday, November 29, 2010

Each year the web security community produces a stunning amount of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, web browsers, web proxies, and so on. We are NOT talking about individual vulnerabilities with CVE numbers, nor any particular system compromise, but the actual new methods of Web-based attack. To keep track of all these discoveries and encourage information sharing, the Top Web Hacking Techniques acts as both a centralized knowledge base and a way to recognize researchers who contribute excellent work.

The selection process for 2010 will be a little different. Last year in 2009, when over 80 new attack techniques were recorded, the winners were selected solely by a panel of distinguished security experts. This year we'd like you, the Web security community, to have the opportunity to vote for your favorite research. From the voting results, the 15 most popular entries will be judged by our panel of experts on the basis of novelty, impact, and overall pervasiveness to decide the Top Ten Web Hacking Techniques of 2010. Researchers topping the 2010 list may expect to receive praise amongst their peers as have those in past years (2006, 2007, 2008, and 2009). Right now I'm working on a really cool set of prizes for #1.

Then at IT-Defense 2011 (Feb.) it will be my great honor to introduce each of the top ten during my "Top Ten Web Hacking Techniques of the Year (2011)" presentations. Each technique will be described in technical detail: how it functions, what it can do, to whom, and how best to defend against it. The audience will get an opportunity to better understand the newest Web-based attacks believed most likely to be used against us in the future.

To make all this happen we are going to need a lot of help from the community. At the bottom of this post will be the living master list of everything recorded. If anything is missing please comment containing the link to the research. Or maybe you think something should not be on the list. That's cool, but please explain why. While clearly not every technique is as powerful as another, please make every effort to include them anyway. Nothing should be considered too insignificant. Sometimes several issues can be combined for amazingly effective techniques.

Although you've said not to post CVE or website issues, there are some things that never will be fixed or that suggest some methods. I can see some of them in the selected techniques. Please check these out as well:

@Soroush: tools are cool, but csrf-poc-template-by-js doesn't appear to have a new technique involved. Secondly, would you consider the "IIS5.1 Directory Authentication Bypass" as containing a new filter-evasion technique in there? Something that might apply elsewhere?

You are right about that tool, which only makes CSRF easier. I only have one thing to say about using Folder:$I30:$Index_Allocation: I couldn't find any other source that uses the same technique to open a directory in Windows NTFS. As all of the Windows directories are accessible by this technique, it can even bypass some other folders' protection, for example in file uploading and so on. I also had written a trick using a similar ADS in the last bullet of section 4 in: http://soroush.secproject.com/downloadable/Improve%20File%20Uploaders%E2%80%99%20Protections.pdf

Now, it's still up to you. I just wanted to keep this in the list if it is really related.

Padding oracles!! My top 1: an actual new method, powerful, high impact, most web dev platforms affected, remote IIS in 2010, JSF, RoR and lots of apps. Thumbs up to all the remote server attacks! Too much client side stuff in the list is the same as years ago with a little change.

@SecNiche: thanks for the contribution. I added 3 of the 6 you commented, #54 - #56. The others, while interesting articles, did not appear to be new techniques. More using older techniques, while still valid, to attack more modern systems. Good luck!

Probably it's too late but still good to be in the list for future reference:

- Breaking HTML parsers for fun: http://www.thespanner.co.uk/2010/11/25/breaking-html-parsers-for-fun/
- setTimeout and setInterval: http://www.thespanner.co.uk/2010/09/10/settimeout-and-setinterval/
- JSReg bypasses: http://www.thespanner.co.uk/2010/10/31/jsreg-bypasses/ , http://code.google.com/p/jsreg/wiki/Exploits , http://rgaucher.info/planet/The_Spanner/2010/11/07/Soroush_Dalili_breaks_JSReg_again
- x5s - test encodings and character transformations to find XSS hotspots: http://xss.codeplex.com/ , http://www.lookout.net/2010/12/20/list-of-characters-for-testing-unicode-transformations-and-best-fit-mapping-to-dangerous-ascii/
- Facebook Redirect Link – New Bypass Method – “:/” after the domain name: http://soroush.secproject.com/blog/2010/12/facebook-redirect-link-new-bypass-method-%E2%80%93-%E2%80%9C%E2%80%9D-after-the-domain-name/

;)

How come the best server side findings and techniques (Struts/JBoss/Spring) from Meder didn't make it into the list? Also, where is the Java Trusted Method Chaining by Sami Koivu?

You might argue with the "no CVE rule", but there is no clear cut between techniques and bugs in these cases actually. For example, in order to have a successful attack on ASP.NET, POET needs to exploit a bug in the ASP.NET implementation/configuration, but you have POET on the list.

@zdx: "making the list" is subject to me finding it through my personal efforts or people submitting them on their own, with some light validation of course. That's a big reason for the effort, to capture everything that's been learned over the past year and not have it get lost in the ether as has been the problem in years past.

If you can supply the best reference links to the attacks you mentioned, I'd be very happy to review them for inclusion on the big list. The CVE mention was just an indication that we want "new" techniques, not individual bug instances.

I'd like to add a vulnerability which I found during gray box testing. It's a type of back refresh attack. For mitigating back refresh attacks we use a 302 redirect on a successful operation. But in one of the apps I tested there was a password policy saying the password can't change within 30 days. The attack is: if the user tries to change the password within 30 days it will respond with a 200 OK response. For a successful change the adversary can't do anything. But if the password change failed due to some reason (password policy, new & confirm password mismatch, etc.) the attacker can exploit the back refresh option of the browser and can capture the request in a proxy.

@shinto143: The back button attack you describe, cool as it is, has actually been documented and demoed in years past. Don't have time to find the reference at the moment. And your Google Hacking concept has been around for a while, I don't see any "new techniques" described.

@Marcus Niemietz: thanks for the submission. I can certainly add it to the big list, but can't get it voted on now since the process has commenced.